* [gentoo-hardened] whitelist of apps granted network access?
From: Jan Klod @ 2008-11-25 15:13 UTC
To: gentoo-hardened
Is there some known good way to make an effective whitelist of applications,
which are granted network access?
By the way, there is another related question: I remember I once started
googleearth as user1 and had firefox running as user2; googleearth really
did open a link in user2's firefox! So I can easily have an illusion of
protection that way (a user1 application bypasses the firewall by signalling
a user2 application somehow).
What is the question, really? How can I know that a particular application can
make / accept a dangerous signal (or other interprocess comm.), and how can I
forbid that, if necessary?
Jan
* Re: [gentoo-hardened] whitelist of apps granted network access?
From: schism @ 2008-11-25 19:21 UTC
To: gentoo-hardened
On Tue, Nov 25, 2008 at 05:13:03PM +0200, Jan Klod wrote:
> Is there some known good way to make an effective whitelist of applications,
> which are granted network access?
More or less; both grsecurity's RBAC and SELinux support this, but on a per-user
basis, not per-application. Novell's AppArmor does things by path (application)
instead of user. You may also specify CONFIG_GRKERNSEC_SOCKET in your kernel
configuration for less granular control (deny server or client sockets by GID).
You may also somewhat approximate that with the 'owner' module in iptables, but
administration quickly becomes cumbersome.
> By the way, there is another related question: I remember, I once started
> googleearth as user1 and had firefox running as user2; really, googleearth
> opened link into user2's firefox! So I can easily have an illusion of
> protection such a way (user1 application bypasses firewall by signalling
> user2 application somehow).
You likely had both users running under the same X display and were using one
of the more user-friendly window managers. Add Xauth into the mix, and your
result doesn't surprise me.
> What the question really is? How can I know, that particular application can
> make / accept a dangerous signal (or other interprocess comm.) and how can I
> forbid that, if necessary?
More than likely, the issue you perceive is not with the underlying access
control mechanisms, but with the way some system configurations bypass those
controls to make things more user-friendly. GUI apps in particular have dozens
of ways to communicate with each other, depending on the windowing environment,
and you'll drive yourself insane trying to prevent all but the "good" ones. If
two applications absolutely cannot be allowed to communicate, run them in
separate machines.
--dc
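
The iptables 'owner' approach mentioned in the reply above, as an added example that is not part of the original thread: a generator for an OUTPUT ruleset that admits new connections only from whitelisted GIDs. It assumes each allowed application is launched under a dedicated group (the group name `netallow` and the GIDs 1001/1002 are constructed); it does nothing about a denied application asking an allowed one on the same X display to fetch something for it.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an iptables-restore ruleset that
# lets only processes whose GID is whitelisted open NEW outbound connections,
# using the 'owner' match.
# Assumption: each allowed app is started under a dedicated group,
# e.g. `sg netallow -c firefox` (the group name "netallow" is hypothetical).

gen_owner_whitelist() {
    # Arguments: numeric GIDs. Anything else is rejected so that a stray
    # argument can never turn into extra rule text.
    [ "$#" -gt 0 ] || { echo "usage: gen_owner_whitelist GID..." >&2; return 2; }
    for gid in "$@"; do
        case "$gid" in
            ''|*[!0-9]*) echo "not a numeric GID: $gid" >&2; return 1 ;;
        esac
    done

    echo '*filter'
    echo ':OUTPUT DROP [0:0]'
    # Loopback stays open; this ruleset only filters traffic leaving the host.
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Packets of already-accepted flows. Some of them (e.g. kernel-generated
    # ACK/RST) carry no socket owner, so the owner match alone would drop them.
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for gid in "$@"; do
        echo "-A OUTPUT -m owner --gid-owner $gid -m state --state NEW -j ACCEPT"
    done
    # Everything else: log, then reject so denied apps fail fast.
    echo '-A OUTPUT -j LOG --log-prefix "net-denied: "'
    echo '-A OUTPUT -j REJECT'
    echo 'COMMIT'
}

# Dry-run check of the generated rules (GIDs are constructed sample values):
# gen_owner_whitelist 1001 1002 | iptables-restore --test
```

Loading the output for real with `iptables-restore` replaces the existing filter table, so merge it with the rules already in place first.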
* Re: [gentoo-hardened] whitelist of apps granted network access?
From: Javier Martínez @ 2008-11-25 20:44 UTC
To: gentoo-hardened
RSBAC permits network access control. Maybe you could do what you are
looking for with the RC model.
2008/11/25 <schism@subverted.org>:
> On Tue, Nov 25, 2008 at 05:13:03PM +0200, Jan Klod wrote:
>> Is there some known good way to make an effective whitelist of applications,
>> which are granted network access?
>
> More or less; both grsecurity's RBAC and SELinux support this, but on a per-user
> basis, not per-application. Novell's AppArmor does things by path (application)
> instead of user. You may also specify CONFIG_GRKERNSEC_SOCKET in your kernel
> configuration for less granular control (deny server or client sockets by GID).
> You may also somewhat approximate that with the 'owner' module in iptables, but
> administration quickly becomes cumbersome.
>
>> By the way, there is another related question: I remember, I once started
>> googleearth as user1 and had firefox running as user2; really, googleearth
>> opened link into user2's firefox! So I can easily have an illusion of
>> protection such a way (user1 application bypasses firewall by signalling
>> user2 application somehow).
>
> You likely had both users running under the same X display and were using one
> of the more user-friendly window managers. Add Xauth into the mix, and your
> result doesn't surprise me.
>
>> What the question really is? How can I know, that particular application can
>> make / accept a dangerous signal (or other interprocess comm.) and how can I
>> forbid that, if necessary?
>
> More than likely, the issue you perceive is not with the underlying access
> control mechanisms, but with the way some system configurations bypass those
> controls to make things more user-friendly. GUI apps in particular have dozens
> of ways to communicate with each other, depending on the windowing environment,
> and you'll drive yourself insane trying to prevent all but the "good" ones. If
> two applications absolutely cannot be allowed to communicate, run them in
> separate machines.
>
> --dc
>
>